The UNION Operator

The UNION operator is used in SQL to combine the results of two or more SELECT statements into a single result set. When a web application contains a SQL injection vulnerability that occurs in a SELECT statement, you can often employ the UNION operator to perform a second, entirely separate query, and combine its results with those of the first. If the results of the query are returned to your browser, then this technique can be used to easily extract arbitrary data from within the database.

Recall the application that enabled users to search for books based on author, title, publisher, and other criteria. Searching for books published by Wiley causes the application to perform the following query:

SELECT author,title,year FROM books WHERE publisher = 'Wiley'

Suppose that this query returns the following set of results:

[Screenshot: result set returned by the query]

You saw in the previous article how an attacker could supply crafted input to the search function to subvert the WHERE clause of the query and so return all of the books held within the database. A far more interesting attack would be to use the UNION operator to inject a second SELECT query and append its results to those of the first. This second query can extract data from a different database table altogether. For example, entering the search term

Wiley' UNION SELECT username,password,uid FROM users--

will cause the application to perform the following query:

SELECT author,title,year FROM books WHERE publisher = 'Wiley'
UNION
SELECT username,password,uid FROM users--'

This returns the results of the original search followed by the contents of the users table:

[Screenshot: original search results followed by the rows of the users table]
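The following is an added example, not code from the article: it reproduces the book-search query above against an in-memory SQLite database (the books and users rows are constructed sample data) and shows that the UNION payload pulls the users table through the string-concatenated query, while the same input bound as a parameter returns nothing, since the database then treats it as a literal publisher name.

```python
import sqlite3

# Constructed sample data standing in for the tables discussed above.
BOOKS = [
    ("Litchfield", "The Database Hacker's Handbook", 2005),
    ("Anley", "The Shellcoder's Handbook", 2007),
    ("Stuttard", "The Web Application Hacker's Handbook", 2007),
]
USERS = [
    ("admin", "placeholder-pw-1", 0),
    ("cliff", "placeholder-pw-2", 1),
]

# The search term from the article, unchanged.
PAYLOAD = "Wiley' UNION SELECT username,password,uid FROM users--"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with the books and users tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (author TEXT, title TEXT, year INTEGER, publisher TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, uid INTEGER)")
    conn.executemany("INSERT INTO books VALUES (?, ?, ?, 'Wiley')", BOOKS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, publisher: str) -> list:
    """The pattern the article describes: user input spliced into the SQL text."""
    sql = "SELECT author,title,year FROM books WHERE publisher = '" + publisher + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, publisher: str) -> list:
    """The fix: bind the value as a parameter so it can never change the query structure."""
    sql = "SELECT author,title,year FROM books WHERE publisher = ?"
    return conn.execute(sql, (publisher,)).fetchall()


def leaked_rows(rows: list) -> set:
    """Rows in a result set that came from the users table rather than books."""
    return {row for row in rows if row in set(USERS)}


if __name__ == "__main__":
    conn = make_db()
    print(search_vulnerable(conn, PAYLOAD))     # book rows plus both user rows
    print(search_parameterized(conn, PAYLOAD))  # [] : no publisher has that literal name
```

UNION does not guarantee row order, so the leaked rows may not always appear last as they do in the screenshot; compare result sets rather than positions when checking for this.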


Next: Fingerprinting the Database